Some More Functions 
That Are Not APN Infinitely Often. 
The Case of Kasami exponents

François Rodier
Abstract 

We prove a necessary condition for some polynomials of Kasami
degree to be APN over $\mathbb{F}_{q^n}$ for large $n$.

1 Introduction 

The vector Boolean functions are used in cryptography to construct block 
ciphers and an important criterion on these functions is high resistance to 
differential cryptanalysis. 

Let $q = 2^n$ for some positive integer $n$. A function $f : \mathbb{F}_q \to \mathbb{F}_q$ is said
to be almost perfect nonlinear (APN) on $\mathbb{F}_q$ if the number of solutions in $\mathbb{F}_q$
of the equation

$$f(x + a) + f(x) = b$$

is at most 2, for all $a, b \in \mathbb{F}_q$, $a \neq 0$. Because $\mathbb{F}_q$ has characteristic 2, the
number of solutions to the above equation must be an even number, for any
function $f$ on $\mathbb{F}_q$. This kind of function has a good resistance to differential
cryptanalysis as was proved by Nyberg in [8].
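The definition can be checked directly on small fields. The following Python sketch is an added example, not code from the paper: it counts the solutions of $f(x+a)+f(x)=b$ for power functions on $\mathbb{F}_{2^m}$. The function names and the choice of primitive moduli are assumptions made for the illustration.

```python
from collections import Counter

def exp_log_tables(m, modulus):
    """Powers of x in F_2[x]/(modulus); modulus must be primitive of degree m."""
    size = 1 << m
    exp, log, v = [], {}, 1
    for i in range(size - 1):
        exp.append(v)
        log[v] = i
        v <<= 1                  # multiply by x
        if v & size:
            v ^= modulus         # reduce modulo the field polynomial
    if len(log) != size - 1:
        raise ValueError("modulus is not primitive")
    return exp, log

def power_function(m, modulus, d):
    """Lookup table of x -> x^d on F_{2^m} (elements encoded as bit vectors)."""
    exp, log = exp_log_tables(m, modulus)
    order = (1 << m) - 1
    return [0] + [exp[(log[x] * d) % order] for x in range(1, 1 << m)]

def differential_uniformity(table):
    """Max over a != 0 and b of #{x : f(x+a) + f(x) = b}; f is APN iff this is 2."""
    n = len(table)
    worst = 0
    for a in range(1, n):
        # Addition in characteristic 2 is XOR of the bit-vector encodings.
        counts = Counter(table[x ^ a] ^ table[x] for x in range(n))
        worst = max(worst, max(counts.values()))
    return worst

# Constructed parameters: primitive polynomials x^4+x+1 and x^5+x^2+1.
PRIMITIVE = {4: 0b10011, 5: 0b100101}

def uniformity(m, d):
    return differential_uniformity(power_function(m, PRIMITIVE[m], d))

if __name__ == "__main__":
    # Gold exponents 3 and 5, Kasami exponent 13 = 4^2 - 2^2 + 1.
    for m, d in [(5, 3), (5, 5), (5, 13), (4, 5), (4, 13)]:
        print(f"x^{d} on F_2^{m}: differential uniformity {uniformity(m, d)}")
```

On $\mathbb{F}_{2^5}$ the three functions reach the APN value 2, while $x^5$ and $x^{13}$ give 4 on $\mathbb{F}_{2^4}$.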

So far, the study of APN functions has focused on power functions. 
Recently it was generalized to polynomials (cf. 

There are many classes of functions for which it can be shown that each
function is APN for at most a finite number of extensions. So we fix a finite
field $\mathbb{F}_q$ and a function $f : \mathbb{F}_q \to \mathbb{F}_q$ given by a polynomial in $\mathbb{F}_q[x]$ and we
ask whether this function can be APN for an infinite number
of extensions of $\mathbb{F}_q$.

In this approach, Hernando and McGuire [5] showed a result on the
classification of APN monomials which has been conjectured for 40 years: the
only exponents such that the monomial $x^d$ is APN over infinitely many
extensions of $\mathbb{F}_2$ are of the form $2^i + 1$ or $4^i - 2^i + 1$. One calls these
exponents exceptional exponents. Then it is natural to formulate for polynomial
functions the following conjecture.

Conjecture 1.1 (Aubry, McGuire and Rodier) A polynomial on $\mathbb{F}_q$
can be APN for an infinity of extensions of $\mathbb{F}_q$ only if it is CCZ equivalent
(as was defined by Carlet, Charpin and Zinoviev in [4]) to a monomial
$x^t$ where $t$ is an exceptional exponent.

Some cases for $f$ of small degree have been proved by the author [9]. We
showed there that for some polynomial functions $f$ which are APN on $\mathbb{F}_{2^m}$,
the number $m$ is bounded by an expression depending on the degree of $f$.

For this we used a method already used by Janwa, who showed, with the
help of Weil bounds, that certain cyclic codes could not correct two errors
[6]. Canteaut showed by the same method that some power functions were
not APN for a too large value of the exponent [3]. We were able to generalize
this result to all polynomials by applying Lang-Weil's results.

Some cases of this conjecture have been studied already, in particular
the case of Gold degree. We recall them in section 3. In this paper, we will
study polynomials of Kasami degree. The proofs turn out to be much the
same as in the Gold degree case, with a few changes.



2 Preliminaries 

We define

$$\phi(x, y, z) = \frac{f(x) + f(y) + f(z) + f(x + y + z)}{(x + y)(x + z)(y + z)}$$

which is a polynomial in $\mathbb{F}_q[x, y, z]$. This polynomial defines a surface $X$ in
the three dimensional affine space.

If $X$ is absolutely irreducible (or has an absolutely irreducible component
defined over $\mathbb{F}_q$) then $f$ is not APN on $\mathbb{F}_{q^n}$ for all $n$ sufficiently large. As
shown in [9], this follows from the Lang-Weil bound for surfaces, which
guarantees many $\mathbb{F}_{q^n}$-rational points on the surface for all $n$ sufficiently
large.

We call $\phi_j(x, y, z)$ the $\phi$ function associated to the monomial $x^j$. The
function $\phi_j(x, y, z)$ is homogeneous of degree $j - 3$.

We recall a result due to Janwa, Wilson, [6, Theorem 5] about Kasami
exponents.

Theorem 2.1 If $f(x) = x^{2^{2k} - 2^k + 1}$ then

$$\phi(x, y, z) = \prod_{\alpha \in \mathbb{F}_{2^k} - \mathbb{F}_2} p_\alpha(x, y, z) \qquad (1)$$

where for each $\alpha$, $p_\alpha(x, y, z)$ is an absolutely irreducible polynomial of degree
$2^k + 1$ on $\mathbb{F}_{2^k}$ such that $p_\alpha(x, 0, 1) = (x - \alpha)^{2^k + 1}$.



3 Some Functions That Are Not APN Infinitely Often

The best known examples of APN functions are the Gold functions $x^{2^k + 1}$
and the Kasami-Welch functions $x^{2^{2k} - 2^k + 1}$. These functions are defined over
$\mathbb{F}_2$, and are APN on any field $\mathbb{F}_{2^m}$ where $\gcd(k, m) = 1$. For other odd
degree polynomial functions, we can state a general result.

Theorem 3.1 (Aubry, McGuire and Rodier, [1]) If the degree of the
polynomial function $f$ is odd and not a Gold or a Kasami-Welch number
then $f$ is not APN over $\mathbb{F}_{q^n}$ for all $n$ sufficiently large.

In the even degree case, we can state the result when half of the degree 
is odd, with an extra minor condition. 

Theorem 3.2 (Aubry, McGuire and Rodier, [1]) If the degree of the
polynomial function $f$ is $2e$ with $e$ odd, and if $f$ contains a term of odd
degree, then $f$ is not APN over $\mathbb{F}_{q^n}$ for all $n$ sufficiently large.

In [10] we have some results for the case of polynomials of degree $4e$
where $e$ is odd.

Theorem 3.3 If the degree of the polynomial function $f$ is even such that
$\deg(f) = 4e$ with $e \equiv 3 \pmod 4$, and if the polynomials of the form

$$(x + y)(y + z)(z + x) + P$$

with

$$P(x, y, z) = c_1(x^2 + y^2 + z^2) + c_4(xy + xz + zy) + b_1(x + y + z) + d \qquad (2)$$

for $c_1, c_4, b_1, d \in \mathbb{F}_{q^3}$, do not divide $\phi$ then $f$ is not APN over $\mathbb{F}_{q^n}$ for $n$
large.

We have more precise results for polynomials of degree 12.

Theorem 3.4 If the degree of the polynomial $f$ defined over $\mathbb{F}_q$ is 12, then
either $f$ is not APN over $\mathbb{F}_{q^n}$ for large $n$ or $f$ is CCZ equivalent to the Gold
function $x^3$. In this case $f$ is of the form

$$L(x^3) + L_1 \quad \text{or} \quad (L(x))^3 + L_1$$

where L is a linearized polynomial 

2 

$c$ is an element of $\mathbb{F}_{q^3}$ such that $c + c^q + c^{q^2} = 0$ and $L_1$ is a $q$-affine polynomial
of degree at most 8 (that is a polynomial whose monomials are of degree 0
or a power of 2).

We have some results on the polynomials of Gold degree $d = 2^k + 1$.

Theorem 3.5 (Aubry, McGuire and Rodier, [1]) Suppose $f(x) = x^d + g(x)$
where $\deg(g) \le 2^{k-1} + 1$. Let $g(x) = \sum_{j=0}^{2^{k-1}+1} a_j x^j$. Suppose moreover
that there exists a nonzero coefficient $a_j$ of $g$ such that $\phi_j(x, y, z)$ is absolutely
irreducible (where $\phi_i(x, y, z)$ denotes the polynomial $\phi(x, y, z)$ associated to
$x^i$). Then $f$ is not APN over $\mathbb{F}_{q^n}$ for all $n$ sufficiently large.

4 Polynomials of Kasami Degree 

Suppose the degree of $f$ is a Kasami number $d = 2^{2k} - 2^k + 1$. Set $d$ to be
this value for this section. Then the degree of $\phi$ is $d - 3 = 2^{2k} - 2^k - 2$. We
will prove the absolute irreducibility for a certain type of $f$.

Theorem 4.1 Suppose $f(x) = x^d + g(x)$ where $\deg(g) \le 2^{2k-1} - 2^{k-1} + 1$.
Let $g(x) = \sum_{j=0}^{2^{2k-1}-2^{k-1}+1} a_j x^j$. Suppose moreover that there exists a nonzero
coefficient $a_j$ of $g$ such that $\phi_j(x, y, z)$ is absolutely irreducible. Then $\phi(x, y, z)$
is absolutely irreducible.

Proof: Suppose $\phi(x, y, z) = P(x, y, z)Q(x, y, z)$ with $\deg P \ge \deg Q$.
Write each polynomial as a sum of homogeneous parts:

$$\sum_{j=3}^{d} a_j \phi_j(x, y, z) = (P_s + P_{s-1} + \cdots + P_0)(Q_t + Q_{t-1} + \cdots + Q_0) \qquad (3)$$

where $P_j, Q_j$ are homogeneous of degree $j$. Then from Theorem 2.1
we get

$$P_s Q_t = \prod_{\alpha \in \mathbb{F}_{2^k} - \mathbb{F}_2} p_\alpha(x, y, z).$$

In particular this implies that $P_s$ and $Q_t$ are relatively prime as the product
is made of distinct irreducible factors.

The homogeneous terms of degree less than $d - 3$ and greater than
$2^{2k-1} - 2^{k-1}$ are 0 by the assumed bound on the degree of $g$. Equating terms of
degree $s + t - 1$ in the equation (3) gives $P_s Q_{t-1} + P_{s-1} Q_t = 0$. Hence $P_s$
divides $P_{s-1} Q_t$ which implies $P_s$ divides $P_{s-1}$ because $\gcd(P_s, Q_t) = 1$, and
we conclude $P_{s-1} = 0$ as $\deg P_{s-1} < \deg P_s$. Then we also get $Q_{t-1} = 0$.
Similarly, $P_{s-2} = 0 = Q_{t-2}$, $P_{s-3} = 0 = Q_{t-3}$, and so on until we get the
equation

$$P_s Q_0 + P_{s-t} Q_t = 0$$

since we suppose that $s \ge t$. This equation implies $P_s$ divides $P_{s-t} Q_t$, which
implies $P_s$ divides $P_{s-t}$, which implies $P_{s-t} = 0$. Since $P_s \neq 0$ we must have
$Q_0 = 0$.

We now have shown that $Q = Q_t$ is homogeneous. In particular, this
means that $\phi_j(x, y, z)$ is divisible by $p_\alpha(x, y, z)$ for some $\alpha \in \mathbb{F}_{2^k} - \mathbb{F}_2$ and for
all $j$ such that $a_j \neq 0$. We are done if there exists such a $j$ with $\phi_j(x, y, z)$
irreducible. Since $\phi_j(x, y, z)$ is defined over $\mathbb{F}_2$ it implies that $p_\alpha(x, y, z)$ also,
which is a contradiction with the fact that $\alpha$ is not in $\mathbb{F}_2$.

□ 

Remark: The hypothesis that there should exist a $j$ with $\phi_j(x, y, z)$
absolutely irreducible is not a strong hypothesis. This is true in many cases (see
remarks in [1]). However, some hypothesis is needed, because the theorem
is false without it. One counterexample is with g{x) = and k > A and 
even. 

Corollary 4.1 Suppose $f(x) = x^d + g(x)$ where $g$ is a polynomial in $\mathbb{F}_q[x]$
such that $\deg(g) \le 2^{2k-1} - 2^{k-1} + 1$. Let $g(x) = \sum_{j=0}^{2^{2k-1}-2^{k-1}+1} a_j x^j$. Suppose
moreover that there exists a nonzero coefficient $a_j$ of $g$ such that $\phi_j(x, y, z)$
is absolutely irreducible. Then the polynomial $f$ is APN for only finitely
many extensions of $\mathbb{F}_q$.

4.1 On the Boundary of the First Case

If we jump one degree more we need other arguments to prove irreducibility. 

Theorem 4.2 Let $q = 2^n$. Suppose $f(x) = x^d + g(x)$ where $g(x) \in \mathbb{F}_q[x]$
and $\deg(g) = 2^{2k-1} - 2^{k-1} + 2$. Let $k \ge 3$ be odd and relatively prime to $n$.
If $g(x)$ does not have the form $a x^{2^{2k-1} - 2^{k-1} + 2} + a^2 x^3$ then $\phi$ is absolutely
irreducible, while if $g(x)$ does have the form $a x^{2^{2k-1} - 2^{k-1} + 2} + a^2 x^3$ then either
$\phi$ is irreducible or $\phi$ splits into two absolutely irreducible factors which are
both defined over $\mathbb{F}_q$.

Proof: Suppose $\phi(x, y, z) = P(x, y, z)Q(x, y, z)$ with $\deg P \ge \deg Q$ and
let

$$g(x) = \sum_{j=0}^{2^{2k-1} - 2^{k-1} + 2} a_j x^j.$$

Write each polynomial as a sum of homogeneous parts:

$$\sum_{j=3}^{d} a_j \phi_j(x, y, z) = (P_s + P_{s-1} + \cdots + P_0)(Q_t + Q_{t-1} + \cdots + Q_0).$$

Then

$$P_s Q_t = \prod_{\alpha \in \mathbb{F}_{2^k} - \mathbb{F}_2} p_\alpha(x, y, z).$$

In particular this means $P_s$ and $Q_t$ are relatively prime as in the previous
theorem.

Since $s \ge t$, we have $s \ge 2^{2k-1} - 2^{k-1} - 1$. Comparing each degree gives
$P_{s-1} = 0 = Q_{t-1}$, $P_{s-2} = 0 = Q_{t-2}$, and so on until we get the equation of
degree $s + 1$

$$P_s Q_1 + P_{s-t+1} Q_t = 0$$

which implies $P_{s-t+1} = 0 = Q_1$.

If $s \neq t$ then $s \ge 2^{2k-1} - 2^{k-1}$. Note then that $a_{s+3}\phi_{s+3} = 0$. The
equation of degree $s$ is

$$P_s Q_0 + P_{s-t} Q_t = a_{s+3}\phi_{s+3} = 0.$$

This means that $P_{s-t} = 0$, so $Q_0 = 0$. We now have shown that $Q = Q_t$
is homogeneous. In particular, this means that $\phi(x, y, z)$ is divisible by
$p_\alpha(x, y, z)$ for some $\alpha \in \mathbb{F}_{2^k} - \mathbb{F}_2$, which is impossible, as we will show.
Indeed, since the leading coefficient of $g$ is not 0, the polynomial $\phi_{2^{2k-1} - 2^{k-1} + 2}$
occurs in $\phi$; as

$$\phi_{2^{2k-1} - 2^{k-1} + 2} = \phi^2_{2^{2k-2} - 2^{k-2} + 1}\,(x + y)(y + z)(z + x), \qquad (4)$$

this polynomial is prime to $\phi_d$, because if $p_\alpha(x, y, z)$ occurs in the polynomial
$\phi_{2^{2k-1} - 2^{k-1} + 2}$, then it will occur in $\phi_{2^{2k-2} - 2^{k-2} + 1}$. If that is the case, the
polynomial $p_\alpha(x, 0, 1) = (x - \alpha)^{2^k + 1}$ would divide $\phi_{2^{2k-2} - 2^{k-2} + 1}(x, 0, 1)$. One
has

$$(x + y)(y + z)(z + x)\,\phi_{2^{2k-2} - 2^{k-2} + 1}(x, y, z) = x^{2^{2k-2} - 2^{k-2} + 1} + y^{2^{2k-2} - 2^{k-2} + 1} + z^{2^{2k-2} - 2^{k-2} + 1} + (x + y + z)^{2^{2k-2} - 2^{k-2} + 1}$$

hence

$$x(x + 1)\,\phi_{2^{2k-2} - 2^{k-2} + 1}(x, 0, 1) = x^{2^{2k-2} - 2^{k-2} + 1} + 1 + (x + 1)^{2^{2k-2} - 2^{k-2} + 1}.$$

Let $s = x - \alpha$. We have, for some polynomial $R$:

$$(s + \alpha)(s + \alpha + 1)\,s^{2^k + 1}$$
$$= (s + \alpha)^{2^{2k-2} - 2^{k-2} + 1} + 1 + (s + \alpha + 1)^{2^{2k-2} - 2^{k-2} + 1}$$
$$= \alpha^{2^{2k-2} - 2^{k-2} + 1} + s\,\alpha^{2^{2k-2} - 2^{k-2}} + s^{2^{k-2}} \alpha^{2^{2k-2} - 2^{k-1} + 1} + 1$$
$$\quad + (\alpha + 1)^{2^{2k-2} - 2^{k-2} + 1} + s\,(\alpha + 1)^{2^{2k-2} - 2^{k-2}} + s^{2^{k-2}} (\alpha + 1)^{2^{2k-2} - 2^{k-1} + 1} + s^{2^{k-2} + 1} R(s).$$

As $\alpha^{2^k - 1} = 1$ we have $\alpha^{2^{2k-2} - 2^{k-2}} = \alpha^{2^{k-2}(2^k - 1)} = 1$. So

$$(s + \alpha)(s + \alpha + 1)\,s^{2^k + 1}$$
$$= \alpha + s + s^{2^{k-2}} \alpha^{1 - 2^{k-2}} + 1 + (\alpha + 1) + s + s^{2^{k-2}} (\alpha + 1)^{1 - 2^{k-2}} + s^{2^{k-2} + 1} R(s)$$
$$= s^{2^{k-2}} \left( \alpha^{1 - 2^{k-2}} + (\alpha + 1)^{1 - 2^{k-2}} \right) + s^{2^{k-2} + 1} R(s)$$

which is a contradiction.

Suppose next that $s = t = 2^{2k-1} - 2^{k-1} - 1$ in which case the degree $s$
equation is

$$P_s Q_0 + P_0 Q_s = a_{s+3}\phi_{s+3}.$$

If $Q_0 = 0$, then

$$\phi(x, y, z) = \sum_{j=3}^{d} a_j \phi_j(x, y, z) = (P_s + P_0) Q_t$$

which implies that

$$\phi(x, y, z) = a_d \phi_d(x, y, z) + a_{2^{2k-1} - 2^{k-1} + 2}\,\phi_{2^{2k-1} - 2^{k-1} + 2}(x, y, z) = P_s Q_t + P_0 Q_t$$

and $P_0 \neq 0$, since $g \neq 0$. So one has $\phi_{2^{2k-1} - 2^{k-1} + 2}$ divides $\phi_d(x, y, z)$ which
is impossible by (4).

We may assume then that $P_0 = Q_0$. Then we have

$$\phi(x, y, z) = (P_s + P_0)(Q_s + Q_0) = P_s Q_s + P_0(P_s + Q_s) + P_0^2. \qquad (5)$$

Note that this implies $a_j = 0$ for all $j$ except $j = 3$ and $j = s + 3$. This
means

$$f(x) = x^d + a_{s+3} x^{s+3} + a_3 x^3.$$

So if $f(x)$ does not have this form, this shows that $\phi$ is absolutely irreducible.

If on the contrary $\phi$ splits as $(P_s + P_0)(Q_s + Q_0)$, the factors $P_s + P_0$ and
$Q_s + Q_0$ are irreducible, as can be shown by using the same argument.

Assume from now on that $f(x) = x^d + a_{s+3} x^{s+3} + a_3 x^3$ and that (5)
holds. Then $a_3 = P_0^2$, so clearly $P_0 = \sqrt{a_3}$ is defined over $\mathbb{F}_q$. We claim that
$P_s$ and $Q_s$ are actually defined over $\mathbb{F}_2$.

We know from (1) that $P_s Q_s$ is defined over $\mathbb{F}_2$.

Also $P_0(P_s + Q_s) = a_{s+3}\phi_{s+3}$, so $P_s + Q_s = (a_{s+3}/\sqrt{a_3})\,\phi_{s+3}$. On the
one hand, $P_s + Q_s$ is defined over $\mathbb{F}_{2^k}$ by Theorem 2.1. On the other hand,
since $\phi_{s+3}$ is defined over $\mathbb{F}_2$ we may say that $P_s + Q_s$ is defined over $\mathbb{F}_q$.
Because $(k, n) = 1$ we may conclude that $P_s + Q_s$ is defined over $\mathbb{F}_2$. Note
that the leading coefficient of $P_s + Q_s$ is 1, so $a_{s+3}^2 = a_3$. Whence if this
condition is not true, then $\phi$ is absolutely irreducible.

Let $\sigma$ denote the Galois automorphism $x \mapsto x^2$. Then $P_s Q_s = \sigma(P_s Q_s) =
\sigma(P_s)\sigma(Q_s)$, and $P_s + Q_s = \sigma(P_s + Q_s) = \sigma(P_s) + \sigma(Q_s)$. This means $\sigma$
either fixes both $P_s$ and $Q_s$, in which case we are done, or else $\sigma$ interchanges
them. In the latter case, $\sigma^2$ fixes both $P_s$ and $Q_s$, so they are defined over
$\mathbb{F}_4$. Because they are certainly defined over $\mathbb{F}_{2^k}$ by Theorem 2.1, and $k$ is
odd, they are defined over $\mathbb{F}_{2^k} \cap \mathbb{F}_4 = \mathbb{F}_2$.

Finally, we have now shown that $X$ either is irreducible, or splits into
two absolutely irreducible factors defined over $\mathbb{F}_q$. □

Remark: For $k = 3$, the polynomial $\phi$ corresponding to $f(x) = x^{57} +
a x^{30} + a^2 x^3$ where $a \in \mathbb{F}_q$ is irreducible. Indeed if it were not, we would
have $P_{27}$ and $Q_{27}$ defined over $\mathbb{F}_2$, so by Theorem 2.1 we would have $P_{27} =
p_\beta(x, y, z)\,p_{\beta^2}(x, y, z)\,p_{\beta^4}(x, y, z)$ and $Q_{27} = p_{\beta^3}(x, y, z)\,p_{\beta^5}(x, y, z)\,p_{\beta^6}(x, y, z)$
for some $\beta \in \mathbb{F}_8 - \mathbb{F}_2$. So, up to inversion, we would check that $P_{27}(x, 0, 1) =
(1 + x + x^3)^9$ and $Q_{27}(x, 0, 1) = (1 + x^2 + x^3)^9$, hence $P_{27}(x, 0, 1) + Q_{27}(x, 0, 1) =
(1 + x + x^3)^9 + (1 + x^2 + x^3)^9$ and one can check that this is not equal to
$\phi_{30}(x, 0, 1)$ as it should be.